Threshold Cryptosystems From Threshold Fully Homomorphic Encryption

Transcription

1 Threshold Cryptosystems From Threshold Fully Homomorphic Encryption Dan Boneh Rosario Gennaro Steven Goldfeder Aayush Jain Sam Kim Peter M. R. Rasmussen Amit Sahai Abstract We develop a general approach to adding a threshold functionality to a large class of (nonthreshold) cryptographic schemes. A threshold functionality enables a secret key to be split into a number of shares, so that only a threshold of parties can use the key, without reconstructing the key. We begin by constructing a threshold fully-homomorphic encryption scheme (TFHE) from the learning with errors (LWE) problem. We next introduce a new concept, called a universal thresholdizer, from which many threshold systems are possible. We show how to construct a universal thresholdizer from our TFHE. A universal thresholdizer can be used to add threshold functionality to many systems, such as CCA-secure public-key encryption (PKE), signature schemes, pseudorandom functions, and others primitives. In particular, by applying this paradigm to a (non-threshold) lattice signature system, we obtain the first single-round threshold signature scheme from LWE. 1 Introduction Threshold cryptography [DF89, Fra89, DDFY94] is a general technique used to protect a cryptographic secret by splitting it into N shares and storing each share on a different server. Any subset of t servers can use the secret without re-constructing it. However, an adversary that compromises t 1 servers should not be able to recover or use the secret. Two examples of threshold tasks are: Threshold signatures: distribute the signing key of a signature system among N servers, so that any t servers can generate a signature. The scheme must provide anonymity and succinctness. Anonymity means that the same signature is produced, no matter which subset of t servers is used. Succinctness means that the signature size can depend on the security parameter, but must be independent of N and t. Threshold decryption: distribute the decryption key of a CCA-secure public-key encryption scheme among N servers, so that any t servers can decrypt. The scheme must be succinct, meaning that ciphertext size must be independent of N and t. This work is a merge of two closely related papers [BGGK17, JRS17]. Stanford University. dabo@cs.stanford.edu. City College of New York. rosario@cs.ccny.cuny.edu. Princeton University. stevenag@cs.princeton.edu. UCLA and Center for Encrypted Functionalities. aayushjain@cs.ucla.edu Stanford University. skim13@cs.stanford.edu. UCLA and Center for Encrypted Functionalities. rasmussen@cs.ucla.edu UCLA and Center for Encrypted Functionalities. sahai@cs.ucla.edu 1

2 Moreover, the time to verify signatures or encrypt messages should be independent of N and t. Other threshold tasks include threshold (H)IBE key generation, threshold ABE key generation, threshold pseudorandom functions, and many others (see Section 1.2). All have similar anonymity, succinctness, and efficiency requirements. A common goal for threshold systems is to minimize the amount of interaction in the system, and in particular, construct one-round schemes. For example, in the case of signatures, an entity called a combiner wishes to sign a message m. The combiner sends m to all N servers, and some t of them reply. The combiner combines the t replies, and obtains the signature. No other interaction is allowed. In particular, the servers may not communicate with one another, or interact further with the combiner. Similarly, for threshold decryption, the combiner sends the ciphertext to all N servers, some t servers reply, and the combiner combines the replies to obtain the plaintext. No other interaction is allowed. We will often refer to the servers as partial signers or partial decryptors. Many signature and encryption schemes have been thresholdized. For example, RSA signatures and encryption [Fra89, DDFY94, GRJK07, Sho00], Schnorr signatures [SS01], (EC)DSA signatures [GJKR01, GGN16], BLS signatures [BLS04, Bol03], Cramer-Shoup encryption [CG99], Regev encryption [BD10], and many more [SG02, DK05, BBH06]. Despite this great success, thresholdizing many basic lattice-based cryptographic primitives has been challenging. For example, it is still an open problem to construct lattice-based one-round threshold signatures or CCA-secure threshold PKE satisfying strong succinctness properties, as discussed in related work (Section 1.2). Thresholdizing more advanced lattice-based primitives, such as fully homomorphic encryption or functional encryption, has been largely unexplored. 1.1 Our Contributions Our main contributions are twofold. First, we define the notion of threshold fully homomorphic encryption (TFHE) and construct it from the learning with errors assumption (LWE). As in a threshold PKE, a threshold FHE scheme allows the decryption key to be split into shares such that any t-out-of-n partial decryptions can be combined into a complete decryption of a given ciphertext in a single round. Furthermore, an evaluated ciphertext should be compact meaning that its size is independent of the original message and the number of decryptors N (Section 5.1). Second, we present general framework for universally thresholdizing many (non-threshold) cryptographic schemes using threshold-fhe. This framework lets us resolve the long-standing problem of one-round threshold signatures from lattices. Threshold FHE. A general obstacle to constructing succinct threshold cryptosystems from lattice assumptions is the noise blow up that results from a multiplication by a large Lagrange coefficient. We handle this difficulty in two different ways. Our first method relies on linear secret sharing schemes where the reconstruction coefficients are always binary. We show that this class of secret sharing schemes is compatible with the decryption operation of a fully homomorphic encryption scheme and is also expressive enough to contain threshold access structures, along with other more general structures. In our second method, we focus on using the standard t-out-of-n Shamir secret sharing scheme, but we modify the noise distribution such that a multiplication by a Lagrange coefficient does not blow up the noise too much. By combining our methods with a suitable FHE scheme, we obtain a secure TFHE (Section 5.2 and 5.3) with strong compactness properties. A universal thresholdizer. Our second contribution is a general framework for universally thresholdizing many (non-threshold) cryptographic schemes using a TFHE. For this, we define a 2

3 new primitive called a universal thresholdizer. We show how to construct a universal thresholdizer with strong compactness properties from our TFHE scheme (Section 7). A universal thresholdizer takes in a cryptographic key and produces a number of key shares that can be used to individually evaluate a cryptographic function. Each of these individual evaluation shares can then be combined to result in the final evaluation of the function. We require that the scheme guarantees privacy meaning that no t 1 key shares or their evaluation shares reveal any information about the original key. Furthermore, we require that the scheme satisfies robustness, meaning that a maliciously generated evaluation share can always be detected. With these guarantees, a universal thresholdizer scheme can be used to thresholdize many different types of systems. For example, we can take any (non-threshold) signature scheme as a black box and construct from it a one-round threshold signature scheme (Section 8.2). Since a universal thresholdizer can be proven secure based on LWE, and because there are known (non-threshold) signature schemes based on LWE [GPV08, Boy10, Lyu12], we obtain the first one-round threshold signature scheme based on LWE that is both succinct and anonymous. This resolves a long-standing open problem in lattice-based cryptography. Beyond signatures, a universal thresholdizer can be composed with an existing CCA-secure PKE scheme [PW11, GPV08, Pei09, ABB10, MP12] to obtain the first lattice-based (one-round) threshold CCA-secure PKE where the public key size and encryption time are independent of the number of servers (Section 8.3). Similarly, composing universal thresholdizer with a functional encryption scheme gives functional encryption with threshold key generation. A universal thresholdizer, on its own, gives a function secret sharing scheme [BGI15, BGI16] that can support threshold access structures (Section 8.1). Decentralized threshold FHE. Our basic TFHE scheme requires a trusted setup procedure to split the secret FHE key into shares. In Section 6, we define a decentralized threshold fully homomorphic encryption (dtfhe). In a dtfhe scheme, each decryption server generates its own public/secret key pair. At encryption time, the encryptor specifies a set of public keys and a threshold t to produce a ciphertext that can only be decrypted by combining t partial decryptions corresponding to the specific public keys. We construct a dtfhe in Section 6.2. However, while it achieves the added flexibility of decentralized key generation, our dtfhe scheme does not satisfy as strong compactness properties as our TFHE and universal thresholdizer. We leave improving the compactness of our dtfhe as an important open problem. 1.2 Related Work on Threshold Lattice Systems Before describing our results, we first survey the existing work on threshold lattice cryptosystems. Non-compact systems. We begin with threshold systems that have public key and ciphertext/signature sizes that are linear in N. Bendlin and Damgård [BD10] gave a threshold version of Regev s CPA-secure encryption scheme [Reg09], and Myers et al. [MSS11] applied the technique to fully homomorphic encryption. Xie et al. [XXZ11] gave a threshold CCA secure PKE scheme from lossy trapdoor functions, which can be instantiated from LWE [PW11]. In all these schemes, both the size of the public key and the ciphertext scales at least linearly in the number of decryptors. For signatures, Cayrel et al. [CLRS10] gave a lattice-based threshold ring signature scheme in which at least t signers are needed to create an anonymous signature. In this system, each signer has its own public key, and the verification time of a signature grows linearly with the number of signers. 3

4 Online/offline systems. The threshold Gaussian sampling protocol of Bendlin et al. [BKP13] as well as the commitment and zero-knowledge protocols of Baum et al. [BDOP16] provide compact threshold cryptosystems. However, the limitation of these systems is that the servers can only perform an a priori bounded number of online non-interactive decryption/signing operations before they must perform an offline interactive step. N-out-of-N systems. Recent advances in low-round MPC from LWE [AJLA + 12, GLS15, MW16, BP16, PS16] give threshold cryptosystems for N-out-of-N thresholds. In these constructions, each party that is involved in the protocol encrypts an input to a joint function using an FHE scheme and broadcasts the ciphertexts to other parties. Then, each party homomorphically evaluates on the ciphertexts that it receives and participates in a single round distributed decryption protocol. If a trusted authority thresholdize an FHE key at setup and distribute the keys to each servers, then the single round distributed decryption protocol gives a N-out-of-N threshold FHE with trusted setup. The goal of this work is to construct cryptosystems that support arbitrary thresholds. Fully-thresholdized systems. Very few existing lattice cryptosystems overcome all the limitations described above. One exception is threshold distributed PRFs [BLMR13] built from key-homomorphic PRFs [BLMR13, BP14, BV15]. 2 Overview of the Main Construction In this section, we provide an overview of the main threshold fully homomorphic encryption (TFHE) construction and its applications to thresholdizing cryptographic systems through a universal thresholdizer. We provide the full TFHE construction in Section 5.2 and 5.3. We define and construct a universal thresholdizer scheme in Section 7 and discuss its applications in greater depth in Section Distributing FHE Decryption Our starting point is a standard LWE based fully homomorphic encryption schemes such as GSW [GSW13]. Recall that a ciphertext ct is a matrix in Z n m q and a secret key sk is a vector in Z n q for appropriately chosen LWE parameters n, m, q. To decrypt a ciphertext ct, the decryptor takes a specific column ct m of the ciphertext matrix and computes its inner product with the secret key sk. That is, the decryptor computes ct m, sk Z q. If the resulting value is small, the underlying plaintext is interpreted as 0; otherwise, it is interpreted as 1 (Definition 3.9). Since inner product is linear, one might try to thresholdize FHE decryption by applying Shamir t-out-of-n secret sharing to sk. This will produce N keys sk 1,..., sk N, one for each user. Then to decrypt a ciphertext ct, each user can compute the inner product ct m, sk i as its partial decryption. The combiner can then compute the Lagrange coefficients λ (S) i for some subset S {1,..., N} of size t and recombine the shares as λ (S) i ct m, sk i = ct m, λ (S) i sk i = ct m, sk. i S i S Unfortunately, this construction is insecure. For i {1,..., N}, every time decryptor i computes a partial decryption, it leaks information about its secret share sk i by publishing the inner product of sk i with a public vector ct m. 4

5 One way to resolve this issue is for decryptor i to add small additive noise to the inner product p i = ct m, sk i + noise. However, for a t-out-of-n threshold scheme, this additive error prevents correct reconstruction of the key. The Lagrange coefficients, when interpreted as elements in Z q, are large and therefore, blow up the noise when multiplied to the partial decryptions. A standard solution to this problem is called bit decomposition. For example, every decryptor can compute the inner product and scale it by powers of two as: p (j) i = 2 j ct m, sk i + noise (j), for j = 1,..., log 2 q. It sends {p (j) i } j to the combiner. However, such bit decomposition not only makes simulation of partial decryptions difficult in the security proof, but also leads to direct attacks due to the malleability of the partial decryptions. In this work, we show how to handle the noise blow up in two different ways. We provide the high level overview of the two techniques below. Using {0, 1}-LSSS. In our first method, instead of coping with the Lagrange coefficients directly in the construction, we abstract it out by using a different secret sharing scheme. In particular, we first define a class of access structures, denoted {0, 1}-LSSS, that consists of the set of access structures that can be supported by a linear secret sharing scheme where the reconstruction coefficients are always binary (Definition 4.13). More precisely, such secret sharing scheme divides a secret sk into a set of shares sk 1,..., sk N according to an access structure such that each share consists of a set of field elements in Z q, sk i = {s i,j } j [l] for a fixed bound l. For any set S [N] that satisfies the access structure, there exists a subset S i S sk i such that S s i,j = sk. It is not difficult to see that with this property, we can construct a correct TFHE scheme for any access structures in {0, 1}-LSSS. With careful analysis (Section 5.2), we can also show that using such special linear secret sharing scheme, all the partial decryptions are simulatable. The remaining question is how expressive is the class {0, 1}-LSSS? Two obvious access structures which are contained in {0, 1}-LSSS are undirected s-t-connectivity and N-out-of-N, but other than these, it is not clear what other useful access structures are contained in {0, 1}-LSSS. However, we show that, in fact, the class is fairly large and contains the set of access structures defined by monotone Boolean formulas [LW11]. A classic result of Valiant [Val84, Gol14] shows that every threshold function can be expressed as a polynomial size monotone formula. Therefore, a {0, 1}-LSSS contains the set of threshold access structures that we need. We start with the observation that the set of access structures defined by monotone Boolean formulas with input fan-out 1 (special monotone Boolean formula) belongs to {0, 1}-LSSS through a folklore algorithm [Bei96, GPSW06] Let C : {0, 1} N {0, 1} be a special monotone Boolean formula with an associated tree T whose internal nodes are assigned either AND or OR, and the N leaf nodes are INPUT gates that are assigned x i. Then, we can define a linear secret sharing scheme for s Z q described as follows. 1. Assign the root r of T with the secret to be shared s. 2. If r is an INPUT gate, then simply return. Otherwise: If r is an AND gate, then additively secret share k by sampling α r Z q and define two shares s l = α and s r = k α. 5

6 If r is an OR gate, then duplicate k into shares by setting s l = k and s r = k. 3. For each child node v l and v r, let T l and T r be the sub-trees having v l and v r as roots respectively. Then, recurse on the sub-trees T l and T r with secrets s l and s r respectively. At the end of the recursive process, each leaf node that is assigned x i is assigned with a secret share s i. It is not difficult to see that for x {0, 1} N, the secret s can be reconstructed from the set of shares {s i } xi =1 if and only if C(x) = 1. Furthermore, given {s i } xi =1 for C(x) = 1, the reconstruction procedure consists of simply identifying a subset of the shares S {s i } xi =1 (for the OR gates), and summing up the shares s = i S s i (for the AND gates). In Section 4.2, we prove that this construction indeed yields a correct and secure secret sharing scheme for special monotone Boolean formulas. Our next observation is that the secret sharing mechanism above can also be used for regular monotone Boolean formulas, which have multiple input fan-out. Consider a monotone Boolean formula C : {0, 1} N {0, 1} with multiple input fan-out that is bounded by l. Then, we can derive a new special monotone Boolean formula C : {0, 1} ln {0, 1} by letting every fan-out of an input gate of C to be a separate input. Now, applying the secret sharing mechanism above to C yields a set of shares {s i } i [ln] shares. Partitioning this set into the corresponding input x i in C, we get a set of N shares {s i,j } that still abides to the syntax of a linear secret sharing scheme required for {0, 1}-LSSS. Furthermore, since the circuit C can still be evaluated from C, the secret s can be reconstructed from the union of the set of shares i S {s i,j} for any satisfying set S. It remains to prove that this secret sharing scheme is secure under collusion. If so, then we obtain a secure TFHE scheme. We indeed show that this is the case. Clearing out denominators. Although the use of {0, 1}-LSSS to achieve threshold decryption results in a clean construction that does not require any significant modification to the existing fully homomorphic construction, the use of monotone Boolean formulas to express threshold access structure introduces significant overhead to the resulting TFHE construction. In particular, the size of the key shares sk i for i = 1,..., N is at least Ω(N 4 ), introducing significant space overhead. In Section 5.3, we introduce another approach where the share sizes are quasilinear Õ(N). We describe the precise trade-offs between the two methods in Section 5.4. The high level idea of our second method is to use the technique of clearing out the denominators [Sho00, ABV + 12]. The observation is that since the Lagrange coefficients are rational numbers, we can scale them to be integers. In particular, for a t-out-of-n secret sharing, for any set S of size t and i S, the term (N!) 2 λ (S) i is an integer. By modifying the construction so that every signer first scales the noise that it adds by (N!) 2, and sufficiently increasing the modulus of the scheme to support its additional noise growth, we can preserve correct reconstruction. In fact, with careful analysis (Section 5.3), such a TFHE construction can be made secure. An evident limitation of the method above is the increase in the modulus and hence, an increase in the size of the ciphertext. Since the size of elements in Z q increases by log N! = O(N log N) bits, the size of the ciphertext depends linearly on the number of servers N, violating our compactness requirement (Definition 5.2). However, we show that any non-compact TFHE can be boosted to a compact one by combining it with any compact (non-threshold) FHE. The idea is to first construct the notion of universal thresholdizer (Definition 7.1) via a (non-compact) TFHE scheme and then use the thresholdizer to thresholdize a compact FHE. We provide a high level description of the universal thresholdizer in Section 2.2 and provide the formal details of this boosting step in Section

7 2.2 Universal Thresholdizer: A General Tool We next put our new TFHE to use. We define a new primitive called a universal thresholdizer (UT) that can be used to thresholdize many existing systems including signatures (Section 8.2). The resulting systems are secure one-round threshold systems that also provide robustness guarantees against malicious key share holders. Our universal thresholdizer abstraction provides a modular design for threshold systems and also simplifies the proof of security. A UT scheme consists of a setup algorithm, an evaluation algorithm, and a combining algorithm. The setup of a UT scheme takes in a secret message x and divides it into a set of shares s 1,..., s N, which are distributed to N users. On input a circuit C, each user can independently compute an evaluation share y i of C(x) using their shares s i. For a set S = {y i } for which S t, the evaluation shares can be combined to produce y = C(x). For robustness, we define an extra verification algorithm that given C and y i, checks whether y i was computed correctly. The privacy guarantee of a UT scheme states that the shares s 1,..., s N as well as the evaluation shares y i can be simulated only given access to the circuit C and C(x). The robustness guarantee of a UT scheme simply states that it is hard for an adversary to produce an improperly computed evaluation share y i for a circuit C such that the verification algorithm accepts. With these security guarantees, it is easy thresholdize existing cryptographic functions. To demonstrate the idea, consider the case of distributed PRF where a key k can be divided into a number of key shares such that independent PRF evaluations using these key shares can be combined into a final PRF evaluation. To construct a distributed PRF F from a regular PRF F : K X Y, we sample a key k r K and invoke UT setup with k to generate the key shares s 1,..., s N. Then, to evaluate F on an input x X, each party generates the evaluation share y i for the circuit C x (k) = F (k, x). The evaluation share can then be combined in a threshold manner to produce the final PRF evaluation y = F (k, x). The robustness of F follows from the robustness condition of UT straightforwardly. To prove pseudorandomness of F, we simply erase the original PRF key k from the security experiment by invoking the privacy simulator of UT. This allows us to reduce pseudorandomness directly to the underlying PRF security game of F. In Section 7.1, we construct a robust universal thresholdizer using non-interactive zero knowledge proofs (NIZK). We note that constructing NIZK from lattices is still an open problem. However, our setting allows the use of NIZK with preprocessing [DMP88, LS90], which can be constructed from one-way functions and therefore, can be instantiated from lattices. A better way to ensure robustness is using homomorphic signatures (Section 7.2). Because homomorphic signatures [BF11, GVW15] give more compact proofs than NIZKs, we can get partial evaluations y i whose size is independent of the original secret message x and the size of circuit C that is used for the evaluation. Unlike NIZK, homomorphic signatures can be constructed from the SIS problem [GVW15]. 3 Preliminaries Basic Notations. For an integer n, we write [n] to denote the set {1,..., n}. We use bold lowercase letters (e.g.v, w) to denote vectors and bold uppercase letters (e.g.a, B) to denote matrices. Throughout this work, we will always use infinity norm for vectors. This means that for a vector x, the norm x is the maximal absolute value of an element in x. For any set X, we denote by P(X) as the power set of X. For any Y, Z {0, 1} n, we say that Y Z if for each index i [n] 7

8 such that Y i = 1, we have Z i = 1. We write λ for the security parameter. We say that a function ɛ(λ) is negligible in λ if ɛ(λ) = o(1/λ c ) for every c N, and we write negl(λ) to denote a negligible function in λ. We say that an event occurs with negligible probability if the probability of the event is negl(λ), and an event occurs with overwhelming probability if its complement occurs with negligible probability. For a distribution X over a finite domain Ω, we write ω X to denote that ω is sampled at random according to distribution X. For a uniform distribution, we simply write ω r Ω. For a distribution ensemble χ = χ(λ) over the integers, and an integer bound B = B(λ), we say that χ is B-bounded if Pr x χ(λ) [ x B(λ)] = Statistical Distance Definition 3.1 (Statistical Distance). Let E be a finite set, Ω a probability space, and X, Y : Ω E random variables. We define the statistical distance between X and Y to be the function defined by (X, Y ) = 1 2 Pr (X = e) Pr(Y = e) X Y. e E We next recall a technique of smuding out or hiding the presense of noise by overwhelming it with a much larger noise. Lemma 3.2 (Smudging Lemma [AJLA + 12, MW16]). Let B 1, B 2 N. For any e 1 [ B 1, B 1 ], let E 1 and E 2 be independent random variables uniformly distributed on [ B 2, B 2 ] and define the two stochastic variables X 1 = E 1 + e 1 and X 2 = E 2. Then (E 1, E 2 ) < B 1 /B Learning with Errors Definition 3.3 (LWE). Let n, m, q be positive integers and χ be some noise distribution over Z q. In the LWE(n, m, q, χ) problem, the adversary s goal is to distinguish between the two distributions (A, A T s + e) and (A, u) where A r Z n m q, s r Z n q, e χ m, and u r Z m q. For certain B lwe -bounded error distributions χ, the LWE(n, m, q, χ) problem is as hard as approximating certain worst-case lattice problems such as GapSVP and SIVP on n-dimensional lattices to within Õ(n q/b lwe) factor [Reg09, Pei09, ACPS09, MM11, MP12, BLP + 13]. 3.3 Cryptographic Primitives In this section, we review non-interactive zero knowledge proofs and fully homomorphic encryption. Additional definitions of basic cryptographic primitives are provided in Appendix A Zero Knowledge with Pre-Processing In this work, we consider a specific type of zero knowledge proof system where all but the last communication round between a prover and a verifier can be pre-processed offline. This is captured by a pre-processing step that generates a common reference string for the verifier σ V and a separate 8

9 common reference string for the prover σ P. Since only the last step of the communication is required for the online phase, the proof system can be viewed as a weaker variant of a non-interactive zero knowledge (NIZK) proof system. Such proof system, which we call zero knowledge proof system with pre-processing (PZK), can be constructed from a much weaker assumption than a standard NIZK proof system and is sufficient for this work. In particular, [DMP88, LS90] construct PZK from one-way functions. Definition 3.4. Let L be a language with relation R. A tuple of P P T algorithms PZK = (PZK.Pre, PZK.Prove, PZK.Verify) is a zero knowledge proof system with pre-processing if the following conditions are true. For (σ V, σ P ) PZK.Pre(1 λ ): 1. Completeness: For every (x, w) R, we have that: Pr[PZK.Verify(σ V, x, π) = 1 : π PZK.Prove(σ P, x, w)] = 1 where the probability is over the internal randomness of all the PZK algorithms. 2. Soundness: For every x / L, we have that: where the probability is over PZK.Pre. Pr[ π : PZK.Verify(σ V, x, π) = 1] = negl(λ) 3. Zero-Knowledge: There exists a PPT algorithm S such that for any x, w where V (x, w) = 1, the following two distributions are computationally indistinguishable: Homomorphic Encryption {σ V, PZK.Prove(σ P, x, w)} c {S(x)} In this section, we review the notion of fully homomorphic encryption. Definition 3.5 (FHE). A fully homomorphic encryption FHE scheme is a tuple of PPT algorithms FHE = (FHE.Setup, FHE.Encrypt, FHE.Eval, FHE.Decrypt) with the following properties: FHE.Setup(1 λ, 1 d ) (pk, sk): On input the security parameter λ, and a depth bound d, the setup algorithm outputs a key pair (pk, sk). FHE.Encrypt(pk, µ) ct: On input a public key pk, and a message µ {0, 1}, the encryption algorithm outputs a ciphertext ct. FHE.Eval(pk, C, ct 1,..., ct k ) ĉt: On input a public key pk, a circuit C : {0, 1} k {0, 1} of depth at most d, and a tuple of ciphertexts ct 1,..., ct k, the evaluation algorithm outputs an evaluated ciphertext ĉt. FHE.Decrypt(pk, sk, ĉt) ˆµ: On input a public key pk, secret key sk, and a ciphertext ĉt, the decryption algorithm outputs a message ˆµ {0, 1, }. We require an FHE scheme to satisfy compactness, correctness, and security as follows. 9

10 Definition 3.6 (Compactness). We say that a FHE scheme is compact if there exists a polynomial poly( ) such that for all λ, depth bound d, circuit C : {0, 1} k {0, 1} of depth at most d, and µ i {0, 1} for i [k], the following holds. For (pk, sk) FHE.Setup(1 λ, 1 d ), ct i FHE.Encrypt(pk, µ i ) for i [k], ĉt FHE.Eval(pk, C, ct 1,..., ct k ), we have that ĉt poly(λ, d). Definition 3.7 (Correctness). We say that a FHE scheme is correct if for all λ, depth bound d, circuit C : {0, 1} k {0, 1} of depth at most d, and µ i {0, 1} for i [k], the following holds. For (pk, sk) FHE.Setup(1 λ, 1 d ), ct i FHE.Encrypt(pk, µ i ) for i [k], and ĉt FHE.Eval(pk, C, ct 1,..., ct k ), Pr[FHE.Decrypt(pk, sk, ĉt) = C(µ 1,..., µ k )] = 1 negl(λ). Definition 3.8 (Security). We say that a FHE scheme satisfies security if for all λ, and depth bound d, the following holds. For any PPT adversary A, the following experiment Expt A,FHE (1 λ, 1 d ) outputs 1 with negligible probability: Expt A,FHE (1 λ, 1 d ): 1. On input the security parameter 1 λ, and a depth bound 1 d, the challenger runs (pk, sk) Setup(1 λ, 1 d ), and ct FHE.Encrypt(pk, b) for b r {0, 1}. It provides (pk, ct) to A. 2. A outputs a guess b. The experiment outputs 1 if b = b. Additional properties. In this work, we base our constructions on an FHE scheme satisfying a few additional properties. We refer to this type of FHE scheme as a special FHE scheme. Definition 3.9 (Special FHE). Let FHE be a fully homomorphic encryption scheme (Definition 3.5). We call FHE a special FHE scheme if it satisfies the following properties: 1. On input 1 λ and 1 d, the setup algorithm FHE.Setup outputs (pk, sk) where the public key contains a prime q, and the secret key sk is a vector sk Z m q for some m = poly(λ, d). 2. The decryption algorithm FHE.Decrypt consists of two functions (FHE.Decode 0, FHE.Decode 1 ) defined as follows: FHE.Decode 0 (sk, ct) p: On input an encryption of a message µ {0, 1}, and a secret key vector sk, outputs p Z q where p = µ q 2 + e for e [ cb, cb], B = B(λ, d, q), and e is an integer multiple of c. FHE.Decode 1 (p) µ: On input p Z q, it outputs µ = 1 if p [ q 4, q 4 ], and µ = 1 otherwise. 3. Decode 0 is a linear operation over Z q in the secret key sk. We refer to the bound B = B(λ, d, q) as the associated noise bound parameter of the construction and c the associated multiplicative constant. When context is clear, we will often drop the rounding notation and implicitly assume it for simplicity. As observed in [MW16], these properties are satisfied by simple modification on the constructions that are based on [GSW13]. We provide a high level description of the modification in Appendix B for reference. Constructions that are based on [BV14, BGV12] can also be adapted to satisfy these properties. 10

11 Theorem Fix the security parameter λ and depth bound d. Then, there exists a special FHE scheme satisfying Definition 3.9 with an associated noise bound B = 2Õ(d) assuming the hardness of LWE(n, m, q, χ) where n(λ), m(λ) = poly(λ), χ is a B lwe -bounded distribution for B lwe = poly(λ) and q = 2Õ(d). In particular, the FHE scheme can be based on approximating worst-case lattice problems on n-dimensional lattices to within 2Õ(d) factor. 4 Secret Sharing for Threshold Access Structures In this section, we provide general results on secret sharing that we use throughout this work. We start by establishing basic notations and terms in secret sharing in Section 4.1 and define threshold access structures in Section 4.2. Then, we define a special class of access structures that we call {0, 1}-LSSS and show that it contains the class of threshold access structures in Section Secret Sharing Preliminaries In this section, we provide an introduction to the basic notations and terms in secret sharing. Some of our definitions are adapted from [LW11] Access Structures Definition 4.1 (Monotone Access Structure). Let P = {P 1,..., P N } be a set of parties. A collection A P(P ) is monotone if for any sets B, C satisfying B A and B C P, we have C A. A monotone access structure on P is a monotone collection A P(P )\. The sets in A are called the valid sets and the sets in P(P )\A are called the invalid sets. Since we only consider monotone access structures in this work, we use the terms monotone access structure and just access structure interchangeably. For simplicity of notation, we generally identify a party with its index. Additionally, for a set of parties P = {P 1,..., P N }, and S P, we denote by x S the vector x S = (x 1,..., x N ) where x i = 1 if P i S and x i = 0 if P i / S. Definition 4.2 (Efficient Access Structure). Let P = {P 1,..., P N } be a set of parties and A P(P ) a monotone access structure on P. We say that A is efficient if there exists a polynomial size circuit f A : {0, 1} N {0, 1} such that for all S P, f A (x S ) = 1 if and only if S A. In this work, we will only consider efficient access structures. Definition 4.3 (Class of Monotone Access Structures). Let P = {P 1,..., P N } be a set of parties. A class of monotone access structures is a collection S = {A 1,..., A t } P(P(P )) of monotone access structures on P Secret Sharing We now define secret sharing for a class of access structures [CK93, BC94, BR07]. 11

12 Definition 4.4. Let P = {P 1,..., P N } be a set of parties and S be a class of efficient access structures. A secret sharing scheme SS for a secret space K is a tuple of PPT algorithms SS = (SS.Share, SS.Combine) defined as follows: SS.Share(k, A) (s 1,..., s N ): On input a secret k K and an access structure A, the sharing algorithm returns a set of shares s 1,..., s N for each parties. SS.Combine(B) k: On input a set of shares B = {s i } i S, the combining algorithm outputs a secret k K. A secret sharing scheme must satisfy the following correctness and privacy properties. Definition 4.5 (Correctness). For all S A, and k K, (s 1,..., s N ) SS.Share(k, A), we have SS.Combine({s i } i S ) = k. Definition 4.6 (Privacy). For all S / A, and k 0, k 1 K, (s b,1,..., s b,n ) SS.Share(k b, A) for b {0, 1}, the following distributions are identical {s 0,i } i S {s 1,i } i S. A useful definition for secret sharing schemes is the notion of maximal invalid party set and minimal valid party set. Definition 4.7. Let P = {P 1,..., P N } be a set of parties and A be a monotone access structure on P. Then, we define the following: A set of parties S P is a maximal invalid party set if S / A but for every P i P \S, we have S {P i } A. A set of parties S P is a minimal valid party set if S A and for every S S, we have S / A. Linear Secret Sharing. In this work, we base our constructions on a special class of secret sharing scheme called linear secret sharing scheme where the combining algorithm SS.Combine consists of linear operations. Definition 4.8 (Linear Secret Sharing Scheme). Let P = {P 1,..., P N } be a set of parties and S a class of efficient access structures on P. A secret sharing scheme SS with secret space K = Z p for some prime p is called a linear secret sharing scheme if the following properties are satisfied: SS.Share(k, A): There exists a matrix M Z l N p called the share matrix, and each party P i is associated with a partition T i [l]. To create the shares on a secret k, the sharing algorithm r first samples random values r 2,..., r n Zp, and define a vector w = M (k, r 2,..., r n ) T. The share for P i consists of the entries {w j } j Ti. SS.Combine(B): For any valid set S A, we have (1, 0,..., 0) span({m[j]} j i S T i ) 12

13 over Z p where M[j] denotes the jth row of M. Note that any valid set of parties S A can efficiently find the coefficients {c j } j i S T i satisfying j i S T i c j M[j] = (1, 0,..., 0) and recover the secret by computing k = j i S T i c j w j. We call the coefficients {c j } the recovery coefficients. In a linear secret sharing scheme, each party P i holds a set of scalars in Z p as shares. For our definitions and proofs, it is convenient to define an analogous definition to Definition 4.7 for these set of scalar elements. Definition 4.9. Let P = {P 1,..., P N } be a set of parties, S a class of efficient access structures on P, and SS a linear secret sharing scheme for S with share matrix M Z l N q. For a set of indices T [l], we say that T is a valid share set if (1, 0,..., 0) span({m[j]} j T ), and an invalid share set otherwise. We also define the following: A set of indices T [l] is a maximal invalid share set if T is an invalid share set, but for any i [l]\t, the set T {i} is a valid share set. A set of indices T [l] is a minimal valid share set if T is a valid share set, but for any T T, T is an invalid share set. For simplicity, we slightly abuse notation and refer to LSSS N as the class of access structure that can be supported by a linear secret sharing scheme on N parties. When the context is clear, we simply refer to LSSS N as just LSSS. Secret Sharing Vectors. In our application of linear secret sharing, we will always be sharing a vector s Z n q instead of a single scalar in Z p. Simply sharing each entry of the vector s using fresh randomness for each entry yields shares s 1,..., s l Z n p. It is easy to see that the secret s Z n q can be reconstructed as a linear combination of the shares s i using the same coefficients as for a single field element. It is also easy to see that the privacy property of the scheme is also maintained. 4.2 Threshold Access Structures In this section, we define the class of threshold access structures TAS and describe Shamir secret sharing [Sha79]. Definition 4.10 (TAS). Let P = {P 1,..., P N } be a set of parties. An access structure A t is called a threshold access structure if for every set of parties S P, we have S A t if and only if S t. We define TAS to be the class of all access structures A t for all t N. Instead of defining the algorithms of Shamir secret sharing formally, we just describe the properties of the scheme that we need. Theorem 4.11 (Shamir Secret Sharing). Let P = {P 1,..., P N } be a set of parties and let TAS be the class of threshold access structures on P. Then, there exists a linear secret sharing scheme (Definition 4.8) SS with secret space K = Z p for some prime p satisfying the following properties: 13

14 For any secret k Z p and A t TAS, each share for party P i consists of a single element w i Z p. For convenience of notation, we denote w 0 = k. For every i, j [N] {0} and set S [N] {0} of size t, there exists an efficiently computable Lagrange coefficients λ S i,j Z q such that w j = i S λ S i,j w i. For our purposes, we want the Lagrange coefficients to be low-norm values. However, a regular Lagrange coefficient have no bound on its norm. Therefore, for our construction, we take advantage of the fact that the Lagrange coefficients can be defined to be rational numbers and therefore, we can clear out their denominators [Sho00, ABV + 12]. Lemma 4.12 ([ABV + 12]). Let P = {P 1,..., P N } be a set of parties, TAS the class of threshold access structures on P, and SS a Shamir secret sharing scheme with secret space Z p for some prime p with (N!) 3 p. Then, for any set S [N] {0} of size t, and for any i, j [N], the product (N!) 2 λ S i,j is bound (N!) 2 λ S (N!) 3 interpretted as an integer. 4.3 Access Structures {0, 1}-LSSS i,j In this section, we define a special class of access structures that we denote by {0, 1}-LSSS that is contained in LSSS. This is the class of access structures that can be supported by a linear secret sharing scheme where the recovery coefficients are always binary. In Section 5.2, we construct a threshold fully homomorphic encryption scheme for these classes of access structures. We show in Section 4.2 that the class {0, 1}-LSSS contains the class of threshold access structures. Definition 4.13 ({0, 1}-LSSS). Let P = {P 1,..., P N } be a set of parties. The class of access structure {0, 1}-LSSS N is the collection of access structures A LSSS N (Definition 4.8) for which there exists an efficient linear secret sharing scheme SS = (SS.Share, SS.Combine) over the secret space K = Z p satsifying the following property: Let k be a shared secret and {w j } j Ti be the share of party P i for i [N]. Then, for every set S A, there exists a subset T i S T i such that k = j T w j. We call a linear secret sharing scheme that satisfy the properties above as a special linear secret sharing scheme. We note that for any special linear secret sharing scheme SS, and for any minimal valid share set T [l], we have that j T w j = k. Now, the fact that every access structure A {0, 1}-LSSS is efficient follows directly from the efficiency of the LSSS class. However, it is less clear that the set T of the definition above can be computed efficiently given any S A. We show that this is indeed the case in the following lemma. We provide the proof in Appendix C.1 14

15 Lemma Let P = {P 1,..., P N } be a set of parties, and SS a special linear secret sharing scheme for {0, 1}-LSSS. Then, for any access structure A {0, 1}-LSSS, and S A, the set T S as specified in Definition 4.13 can be computed efficiently. We now state the main theorem of this section. Theorem TAS {0, 1}-LSSS. To prove the lemma, we first define the class of access structures induced by monotone Boolean formulas. Definition 4.16 (Monotone Boolean Formula). A monotone Boolean formula C : {0, 1} N {0, 1} is a Boolean circuit with the following properties: There is a single output gate. Every gates is one of AND or OR gate with fan-in 2 and fan-out 1. The input wires can have multiple fan-out. Definition 4.17 (MBF). Let P = {P 1,..., P N } be a set of parties and C : {0, 1} N {0, 1} a monotone Boolean formula. An access structure A C is called a monotone boolean formula access structure if for every set of parties S P, we have S A if and only if C(x) = 1. We define MBF to be the class of all access structures A C for all monotone Boolean formula C. Now, Theorem 4.15 is implied by the following. Theorem 4.18 ([Val84, Gol14]). TAS MBF. Theorem 4.19 ([LW11]). MBF {0, 1}-LSSS. Although Theorem 4.19 is folklore, we provide the formal proof in Appendix C.2 for completeness. 5 Threshold Fully Homomorphic Encryption In this section, we present the definition of threshold fully homomorphic encryption (TFHE) for any class of access structures. Then, in Sections 5.2 and 5.3, we construct TFHE for the class of threshold access structure TAS. 5.1 Definitions Definition 5.1 (Threshold Fully Homomorphic Encryption (TFHE)). Let P = {P 1,..., P N } be a set of parties and let S be a class of efficient access structures on P. A threshold fully homomorphic encryption scheme for S is a tuple of PPT algorithms TFHE = (TFHE.Setup, TFHE.Encrypt, TFHE.Eval, TFHE.PartDec, TFHE.FinDec) with the following properties: TFHE.Setup(1 λ, 1 d, A) (pk, sk 1,..., sk N ): On input the security parameter λ, a depth bound d, and an access structure A, the setup algorithm outputs a public key pk, and a set of secret key shares sk 1,..., sk N. TFHE.Encrypt(pk, µ) ct: On input a public key pk, and a single bit plaintext µ {0, 1}, the encryption algorithm outputs a ciphertext ct. 15

16 TFHE.Eval(pk, C, ct 1,... ct k ) ĉt: On input a public key pk, circuit C : {0, 1} k {0, 1} of depth at most d, and a set of ciphertexts ct 1,..., ct k, the evaluation algorithm outputs a cipehrtext ĉt. TFHE.PartDec(pk, ct, sk i ) p i : On input a public key pk, a ciphertext ct, and a secret key share sk i, the partial decryption algorithm outputs a partial decryption p i related to the party P i. TFHE.FinDec(pk, B) ˆµ: On input a public key pk, and a set B = {p i } i S for some S {P 1,..., P N }, the final decryption algorithm outputs a plaintext ˆµ {0, 1, }. As in a standard FHE scheme, we require that a TFHE scheme satisfies compactness, correctness, and security. Definition 5.2 (Compactness). We say that a TFHE scheme is compact if there exists polynomials poly 1 ( ) and poly 2 ( ) such that for all λ, depth bound d, circuit C : {0, 1} k {0, 1} of depth at most d, and µ {0, 1}, the following holds. For (pk, sk 1,..., sk N ) TFHE.Setup(1 λ, 1 d, A), ct i TFHE.Encrypt(pk, µ i ) for i [k], ĉt TFHE.Eval(pk, C, ct 1,..., ct k ), p j TFHE.PartDec(pk, ct, sk j ) for any j [N], ĉt poly(λ, d) and p j poly(λ, d, N). Definition 5.3 (Evaluation Correctness). We say that a TFHE scheme satisfies evaluation correctness if for all λ, depth bound d, access structure A, circuit C : {0, 1} k {0, 1} of depth at most d, S A, and µ i {0, 1} for i [k], the following condition holds. For (pk, sk 1,..., sk N ) TFHE.Setup(1 λ, 1 d, A), ct i TFHE.Encrypt(pk, µ i ) for i [k], ĉt TFHE.Eval(pk, C, ct 1,..., ct k ), Pr[TFHE.FinDec(pk, {TFHE.PartDec(pk, ct, sk i )} i S ) = C(µ 1,..., µ k )] = 1 negl(λ). Definition 5.4 (Semantic Security). We say that a TFHE scheme satisfies semantic security if for all λ, and depth bound d, the following holds. For any PPT adversary A, the following experiment Expt A,TFHE,sem (1 λ, 1 d ) outputs 1 with negligible probability: Expt A,TFHE,sem (1 λ, 1 d ): 1. On input the security parameter 1 λ and a circuit depth 1 d, the adversary A outputs A S. 2. The challenger runs (pk, sk 1,..., sk N ) TFHE.Setup(1 λ, 1 d, A) and provides pk to A. 3. A outputs a set S {P 1,..., P N } such that S / A. 4. The challenger provides {sk i } i S along with TFHE.Encrypt(pk, b) for b r {0, 1} to A. 5. A outputs a guess b. The experiment outputs 1 if b = b. We now describe the notion of simulation security for TFHE. Intuitively, simulation security definition says that no information about the key shares or the messages µ 1,..., µ k should be leaked by the partial or final decryption other than what is already implied by the result of the homomorphic operation C(µ 1,..., µ k ). Definition 5.5 (Simulation Security). We say that a TFHE scheme satisfies simulation security if for all λ, depth bound d, and access structure A, the following holds. There exists a stateful PPT algorithm S = (S 1, S 2 ) such that for any PPT adversary A, the following experiments Expt A,Real (1 λ, 1 d ) and Expt A,Ideal (1 λ, 1 d ) are indistinguishable: 16

17 Expt A,Real (1 λ, 1 d ): 1. On input the security parameter 1 λ and a circuit depth 1 d, the adversary A outputs A S. 2. The challenger runs (pk, sk 1,..., sk N ) TFHE.Setup(1 λ, 1 d, A) and provides pk to A. 3. A outputs a maximal invalid party set S {P 1,..., P N } and messages µ 1,..., µ k {0, 1}. 4. The challenger provides the keys {sk i } i S and {TFHE.Encrypt(pk, µ i )} i [k] to A. 5. A issues a polynomial number of adaptive queries of the form (S {P 1,..., P N }, C) for circuits C : {0, 1} k {0, 1} of depth at most d. For each query, the challenger computes ĉt TFHE.Eval(pk, C, ct 1,..., ct k ) and provides {TFHE.PartDec(pk, ĉt, sk i )} i S to A. 6. At the end of the experiment, A outputs a distinguishing bit b. Expt A,Ideal (1 λ, 1 d ): 1. On input the security parameter 1 λ and a circuit depth 1 d, the adversary A outputs A S. 2. The challenger runs (pk, sk 1,... sk N, st) S 1 (1 λ, 1 d, A) and provides pk to A. 3. A outputs a maximal invalid party set S {P 1,..., P N } and messages µ 1,..., µ k {0, 1}. 4. The challenger provides the keys {sk i } i S and {TFHE.Encrypt(pk, µ i )} i [k] to A. 5. A issues a polynomial number of adaptive queries of the form (S {P 1,..., P N }, C) for circuits C : {0, 1} k {0, 1} of depth at most d. For each query, the challenger runs the simulator {p i } i S S 2 (C, {ct 1,..., ct k }, C(µ 1,..., µ k ), S, st) and sends {p i } i S to A. 6. At the end of the experiment, A outputs a distinguishing bit b. 5.2 TFHE using {0, 1}-LSSS In this section, we present our construction of TFHE for the class of access structures {0, 1}-LSSS. We note that by Theorem 4.15, this gives a TFHE scheme for the class of threshold access structures TAS. Construction 5.6. Let P = {P 1,..., P N } be a set of parties. Our TFHE construction relies on the following primitives: Let FHE = (FHE.Setup, FHE.Encrypt, FHE.Eval, FHE.Decrypt) be a special fully homomorphic encryption scheme with noise bound B = B(λ, d, q) and multiplicative constant 1 (Definition 3.9). Let SS = (SS.Share, SS.Combine) be a special linear secret sharing scheme (Definition 4.13). We use T i to denote a partition of the share matrix and use {s j } j Ti to denote a share associated with P i consisting of elements in Z q. We also use l = l(λ, N) to denote a fixed polynomial bound on the size of the share: T i l for all i [N]. We also fix a parameter B sm that specifies the bound on the smuding noise (see Section 5.2.1). We construct TFHE = (TFHE.Setup, TFHE.Encrypt, TFHE.Eval, TFHE.PartDec, TFHE.FinDec) as follows: TFHE.Setup(1 λ, 1 d, A): On input the security parameter λ, depth bound d, and an access structure A, the setup algorithm generates the FHE keys (fhepk, fhesk) FHE.Setup(1 λ, 1 d ). 17